Internal Controls = Fraud Prevention

Author: Albert Horn

Ohio Township Association Conference January 27, 2016

Introduction
Donald R. Owens
Shareholder
Internal Audit and Risk Advisory Services
CPA, CFF, CIA, CFSA, CRMA, CBA
Schneider Downs & Co., Inc.
41 S. High Street, Suite 2100
Columbus, OH 43215
Email: [email protected]
Work Phone: (614) 586-7257
Cell Phone: (614) 271-8551
Fax: (614) 621-4062

Disclaimers
IRS CIRCULAR 230 DISCLOSURE: Any tax advice contained in this communication (or in any attachment) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code, or (ii) promoting, marketing or recommending to another party any transaction or other matter addressed in this communication (or in any attachment).

The views expressed by the presenter do not necessarily represent the views, positions, or opinions of Schneider Downs & Co., Inc.

These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting, tax or legal advice or create an accountant-client or attorney-client relationship.

Presentation Take-Aways
• Recognizing and assessing the various fraud threats in your environment
• How to effectively design and conduct fraud risk assessment
• Evaluating factors that contributed to corporate frauds

Recognize the Threat


Fraud and Its Faces
• Deliberate deception to secure unfair or unlawful gain
• Intentional deception of a person or entity by another made for monetary or personal gain
• Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.

Fraud
“Fraud and stupidity look an awful lot alike.”
- Alan Bachman, CFE, MBA, Education Manager at ACFE

Agenda
• Fraud
  – Types of Fraud
  – Basics of Fraud
  – Statistics
  – Red Flags
  – Prevention
• Fraud Risk Assessment
• Internal Controls
• Whistleblower Programs
• Resources

Types of Fraud

Fraudulent Financial Reporting
• Revenues
• Expenses
• Improper valuation or misclassification
Almost always material - directly impacts the financials
Almost always involves senior management
Controls are less effective in preventing and detecting fraud

Misappropriation of Assets
• Cash theft
• Fraudulent disbursements
• Payroll fraud
• Expense reimbursement
• Capital assets/inventory
May or may not be material - directly impacts financials
Can involve any level of employee
Controls can be difficult and expensive to implement. Requires close scrutiny of employee activities and cost to do business

Corruption
• Bribery
• Bid rigging/Kickbacks
• Illegal payments
• Conflicts of interest
• Aiding and abetting fraud (money laundering)
May or may not be material - indirectly impacts the financials
Can involve any level of employee
Controls can be effective, particularly with regard to those below top management

Types of Fraud

Theft of Sensitive Data
• Customer and employee personal information
• Proprietary information/trade secrets
• Patents, copyrights, other legally protected intellectual property
May or may not be material/measurable - indirectly impacts the financials
Can involve any level of employee
Controls can be difficult and expensive to implement

Defrauding Customers
• Intentionally misrepresenting products and services
• Inflating invoices/duplicate billings
• Shorting orders/product
May or may not be material - directly impacts financials
Can involve any level of employee
Controls can be effective, particularly with regard to those below top management

Compliance
• Undocumented employees
• Unrecorded wages
• Unreported accidents
• Manipulation of data
• Unfair, deceptive acts
May or may not be material - indirectly impacts the financials
Can involve any level of employee
Controls can be effective at all levels

Types of Fraud
Key Areas of Concern:
– Credit and Debit Cards
– Corruption
– Billing
– Cash theft
– Payroll
– Personal expenses
– Vendor
– Related Party

Basics of Fraud
Know that...
– Fraudsters are creative
– Fraudsters appear trustworthy
– Fraudsters are long-standing reliable employees
– Fraudsters are active members of the community
– Fraudsters are sitting in cubicles near to you
– Fraudsters are becoming more tech-savvy

Basics of Fraud
“82% of fraudsters had never previously been punished or terminated by an employer for fraud-related conduct.”

Source: ACFE Report to the Nations on Occupational Fraud and Abuse (2014)

Basics of Fraud
Fraud or Not
– Teller removes cash from vault for personal use
– CFO withdraws funds from operating account and payroll, creates unsupported receivable entries to balance the records
– Procurement Manager directs payment to his accounts
– Executive uses company assets for personal business
– Risk Manager receives lucrative gifts from vendors

Basics of Fraud
The Fraud Triangle
– Rationalization (Justification of Act)
– Opportunity (Process and Controls)
– Need/Pressure/Motivation (Influences/Incentives)

Basics of Fraud
The Fraud Diamond/Rectangle
– Incentive (Influences/Motivation)
– Opportunity (Processes and Controls)
– Rationalization (Justification of Act)
– Capability (Competency to execute)

Basics of Fraud
• An organization CANNOT control a fraudster’s rationalization for his/her actions
• An organization CAN control the opportunities for the fraudster to commit the crime
• Consider the capabilities of employees to commit the crime (competence to execute)

Basics of Fraud
Escalation Fraud Theory

Basics of Fraud
Consequences
– Job loss
– Reduction in future funding
– Civil lawsuits
– Criminal prosecution
– Destroyed reputation (both entity AND the individual)
– Long-term impairment of operations

Fraud Statistics
Sources of Detection
[Chart: Detection Method. Categories: Tip, Internal Audit, Management Review, By Accident, Account Reconciliation, Document Examination, External Audit, Notified by Police, Surveillance/Monitoring, Confession, IT Controls, Other. Source: 2014 Association of Certified Fraud Examiners Fraud Study]

Fraud Red Flags
Ethics and fraud are closely interconnected. Without a strong ethical culture, fraud risk increases exponentially.

In most fraud cases uncovered, indicators that a fraud was occurring were evident to others. However, human nature is to continue to trust those around us even when faced with evidence to the contrary.

Misplaced Trust is a Great Facilitator of Fraud

Fraud Red Flags
Fraud Opportunity
Employee’s years of service
X Number of key responsibilities residing with the employee
X Organization’s complacency level with respect to validating controls and monitoring activities
= Potential for fraud to be committed

Fraud Red Flags
Employee Habits
– Lifestyle or behavior changes
– Personal debt or credit problems
– Refusal to take vacation or sick leave
– Excessive overtime
– Does not produce information voluntarily
– Volatile, arrogant, confrontational or aggressive when challenged
– Indignant with respect to training a back-up

Fraud Red Flags
Management
– Reluctance to provide information
– Dominates all decisions
– Overrides internal controls
– High employee turnover
– Unusual transactions made outside of the system
– Financial distress/exhibits stress
– Retains excessive authorities and duties (Lack of segregation)

Fraud Red Flags
Operational Indicators
– Large number of write-offs
– Discrepancies between bank deposits and postings/books
– Excessive/unjustified cash and/or adjusting entries
– Incomplete/untimely bank reconciliations
– Lack of support for or tracking of transactions

Fraud Red Flags
Cash Receipts and Disbursements
– Lack of segregation of key duties
  • Physical/Manual Duties
  • System Capabilities
– Missing deposits
– Absence of a cash receipt log
– Lack of controls over management signature
– Uncontrolled access to blank checks

Fraud Red Flags
Purchasing
– Lack of segregation of key duties
– Excessive/unusual exceptions to purchasing policies
– Uncontrolled access to the vendor master file
– Vendors with employee names/addresses
– Duplicate purchase orders
– Copies of invoices used to pay vendors
– Less than arm's-length transactions and conflicts of interest
– Undue influence

Fraud Red Flags
Fixed Assets
– Lack of segregation of key duties
– Lack of periodic inventory of assets
– Lack of asset tags/tracking
– Lack of physical security

Fraud Prevention
MAIN TAKE-AWAY
“Awareness”

Fraud Prevention
• Adequate resources
• Robust hiring practices
• Periodic audits/reviews
• Conflicts of interest policies and practices
• Insist on adequate documentation
• Tone at the top
• Open door policy
• Culture of compliance and ethics
• On-going and required anti-fraud training
• Fraud reporting tool (hotline)
• Fraud risk assessments
• Strong internal controls

Fraud Risk Assessment
1. Develop a FRA Framework
2. Populate fraud risks
3. Rate probability and impact
4. Identify controls and assess alignment
5. Identify gaps
6. Remediation

Fraud Risk Assessment
Identify Opportunities to Commit Fraud
– Create a profile that includes a list of the different areas in which fraud may occur and the types of fraud that are possible in each area (brainstorming, analysis of prior frauds, public information/Google alerts)
– Consider the various types of schemes and scenarios that could occur within an organization
– Don’t overlook information technology impact (enabler or deterrent)

Fraud Risk Assessment
Measuring Fraud Risk Probability/Likelihood
Prior instances, prevalence, and other factors, including volume of transactions and complexity, and number of people involved in the process should be considered
• Remote
• Reasonably possible
• Probable

Fraud Risk Assessment
Factors to Measure Probability
– Controls or lack of
– Integrity of the organization
– Organizations are downsizing
– Budgets are decreasing
– Organizations are doing more with less
– Stressed and disaffected employees

Fraud Risk Assessment
Measuring Fraud Risk Impact/Severity
Should include financial, monetary, operational, reputational as well as criminal, civil and regulatory liability considerations
• High
• Moderate
• Low

Fraud Risk Assessment
Other Measures to Consider:
– Probability/likelihood
– Impact/severity
– Velocity/speed
– Frequency/persistence
– Direction of risk


Internal Controls
Designing and Implementing Controls
• Control Design
  – Aligned with relevant fraud risks
  – Executed by competent and objective individuals
• Control Effectiveness
  – Evidence available to support whether control is operating as intended
  – Control executed at a frequency appropriate to the fraud risk

Internal Controls
Types
– Preventive – Intended to reduce the risk of fraud occurring to an acceptable level
– Detective – Intended to flag potential risk that a fraud occurred in a timely manner
– Persuasive – Tone and culture of the organization, its belief system
– Competence – Aptitude to recognize when something is not right

Internal Controls
Preventive Controls
– Human Resources procedures
  • Recruiting/hiring – smart, honest, ethical
  • Background investigations
  • Anti-fraud training
  • Exit interviews
– Restricted access (physical and system)
– Segregation of duties (limit keys to the kingdom)
– Authority limits
– Transaction-level controls – approvals, reviews

Internal Controls
Detective Controls
– Variance analysis – with communication and follow-up on unusual variances or items outside of thresholds
– Comparison of internal data to external sources
– Reconciliations
– Surprise audits
– Whistleblower hotline
– Exit interviews (HR)

Internal Controls
Detective Controls (cont.)
– Independent reviews
– Physical inspections and counts
– Special audits (e.g., expense reports, P-card, cash counts)

Internal Controls
Persuasive Controls
– Formal code of ethics/conduct
– Whistleblower hotline
– Management setting appropriate example
– Positive workplace environment
– Honest and constructive feedback and recognition
  • Eliminate fear of delivering “bad news”
  • Treat employees with fairness
  • Organizational responsibilities clearly defined
  • Strong communication practices and methods
  • Direct communication vs. innuendo

Internal Controls
Competence
– Possesses required skill, knowledge, qualification, and/or capacity
– Requires knowledge of expected outcomes and incentives to report
– Is empowered to report concerns
– Effectively performs the duties of one's position
– Has an awareness of the duties of those around them


SEC/IRS/DOJ Whistleblower Programs
IRS Program Rules
• The law provides for two types of awards. If the taxes, penalties, interest and other amounts in dispute exceed $2 million, and a few other qualifications are met, the IRS will pay 15 percent to 30 percent of the amount collected….
• The IRS also has an award program for other whistleblowers, generally those who do not meet the dollar thresholds of $2 million in dispute or cases involving individual taxpayers with gross income of less than $200,000. The awards through this program are less, with a maximum award of 15 percent, up to $10 million....

SEC/IRS/DOJ Whistleblower Programs
DOJ and SEC
The Dodd–Frank Wall Street Reform and Consumer Protection Act:
• There have been several attempts to create special whistleblower incentives in the financial sphere, specifically with protection from retaliation, which Dodd-Frank now does best:
• Section 922 of the Act laid out critical incentives to bring forth whistleblowers, including (1) financial compensation, as well as (2) protection under the law from criminal penalties.
• Individuals who report valuable information to the SEC or DOJ on securities fraud like insider trading, fraud, money laundering, and so forth are entitled to up to 30% of any settlements that result in over $1 million payments collected.

SEC/IRS/DOJ Whistleblower Programs
DOJ False Claims Act (nicknamed the “Lincoln Law”)
• From 1986 to 2014, the United States government recovered $44 billion under the False Claims Act. More than two-thirds of this, about $30.3 billion, was recovered in cases filed by whistleblowers under the qui tam provisions of the False Claims Act.
• Whistleblowers have received over $4.7 billion under the False Claims Act. In 2014 alone, whistleblowers helped recover approximately $3 billion and were awarded over $435 million.

SEC/IRS/DOJ Whistleblower Programs
• The Securities and Exchange Commission today announced an expected award of more than $30 million to a whistleblower who provided key original information that led to a successful SEC enforcement action.
• The Securities and Exchange Commission today announced a whistleblower award of more than $300,000 to a company employee who performed audit and compliance functions and reported wrongdoing to the SEC after the company failed to take action when the employee reported it internally.
• A former UBS AG banker, who went to prison after telling the Internal Revenue Service how the bank helped thousands of Americans evade taxes, secured a whistleblower award of $104 million, which is the largest individual federal payout in U.S. history.
• The Department of Justice has paid nearly $3 billion in rewards to everyday citizens for reporting fraud. The average reward is $1.5 million.

SEC/IRS/DOJ Whistleblower Programs

It is better for a company to promote and encourage employees to report matters through an internal whistleblower hotline than to face the uncertainty associated with inquiries from the SEC, IRS, DOJ or other government agency responding to anonymous complaints received through the agency’s hotline.

Resources
Ohio Auditor of State
https://ohioauditor.gov/fraud.htm
[email protected]
Call 1-866-Fraud-OH (1-866-372-8364)

AICPA Fraud Resource Center
http://www.aicpa.org/INTERESTAREAS/FORENSICANDVALUATION/RESOURCES/
The AICPA offers a variety of resources and training to assist CPAs in both public accounting and industry to help them improve their skills in the practice of fraud prevention, detection, and investigation.

Resources
Association of Certified Fraud Examiners (ACFE)
http://www.acfe.com/rttn.aspx
Report to the Nations

Frank W. Abagnale
http://www.abagnale.com/company.htm
Free resources are available on this site

The Institute of Internal Auditors
https://na.theiia.org/training/Pages/Fraud-Courses.aspx
Browse a list of fraud courses offered by The IIA and fraud-related materials

As one of the largest certified public accounting and business advisory firms in the region, Schneider Downs serves clients throughout the country and around the world. By integrating high-quality resources, systems and personnel, Schneider Downs has built a reputation of delivering individualized services built on insight, innovation, and experience to meet each client’s specific needs. For more information, visit us at www.schneiderdowns.com
